Examination of Witnesses (Questions 900 - 919)
TUESDAY 17 APRIL 2007
MR ACHIM KLABUNDE, MS MARGARETA TRAUNG, MS ZINAIDA YUDINA, MR ANDREW SERVIDA AND MR ROGIER HOLLA
Q900 Chairman:
It would be helpful if you could say who is speaking as the picture
we have of you in Brussels is a little confusing as to which of
you is speaking, and it would be very useful for our transcript.
So who was that who made that useful comment?
Mr Klabunde: I am Achim Klabunde.
Q901 Lord Sutherland of Houndwood:
I appreciate that lack of data and definitional problems mean
that some of these questions will have to wait and we will certainly
take the first one up with the Commissioner, but I wonder if you
have any sense at all of whether or not countries that have a
fairly high broadband penetration are affected disproportionately
in any way? The UK, for example, has a comparatively high broadband
penetration. Does this make it more susceptible to economic loss
in this area, do you know?
Mr Servida: I do not have data so precise as
you are requesting. On the other hand, we have been looking at
analyses which of course make the connection between what is the
potential and the risk of attacks with respect to the deployment
of broadband and deployment of advanced technologies because where
you have much better or more efficient connectivity it is also
working for those who have malicious intentions in the sense that
they have more opportunities and a much easier time to attack
users who are connected. So the analysis is to some extent an
analysis more by implication than by statistics, and we want to
do this in order not just to have the data but indeed to follow
up what is the effectiveness of policy-making, I suppose at a
European level. Firstly I think it would also be good - and to
have this shared with Member States - to develop and try
to come up with a set of indicators that could be somehow shared
by all of the Member States so that in Europe we can have a sense
of what are the types of problems and how the policy intervention,
the review of the intervention, the technological developments,
the adoption of perspectives are indeed changing the features
that we would be able to characterise via these indicators. Of
course, what we would like to do is to develop such indicators
in close connection with Member States because we know that there
are a number of Member States who have already developed these
types of indicators, these measures, these statistics, and we
think we need to learn from those who have already made an effort
in this respect in order to possibly spread the best practice
that is there in order to come up with direct data for Europe
as such and for the Member States in Europe, instead of having
to struggle somehow on how to extrapolate from data, which has
been developed either for the world as such or from just a region
in the world, what might be the type of scenario that we have
in Europe.
Chairman: I will turn now to Lady Sharp,
who is on my left, to ask the next question, please.
Q902 Baroness Sharp of Guildford:
Could I start by asking you what are the legal bases for EU action
and how far do you see Europe's role in driving forward the standards
for Internet security? Can Europe move fast enough to keep pace
with the changing threats?
Mr Klabunde: As far as the legal basis is concerned
I can answer that in so far as the regulatory framework for telecommunications
is concerned, which is also the point that was mentioned during
the preparation. Here, of course, the main concern for all regulatory
actions, not only for those related to security, is the harmonisation
of the internal market of the EU, which is based on Article 95
of the Treaty. As far as security-related provisions in the framework
are concerned, of course it is quite important for operators which
work on a Europe-wide scale to have similar market conditions
in whatever Member States and not having to comply with 27 different
regimes. So there is an interest of harmonisation. Of course there
are other domains on which, due to my responsibility, I would
rather not comment in detail. I just mention that in the Treaty
on the European Union, as opposed to the Treaty on the European
Communities, we have the activities of the Judicial and Police
Co-operation, which also enable the Commission to support initiatives,
but as my colleague, Andrea Servida, has already pointed out,
this is not in the main competence of the DG Information Society
but in the main competence of Vice President Frattini and of the
DG for Justice, Freedom and Security.
Mr Servida: If I may just complete what Achim
just said? Indeed, Article 95 is the legal base that we are using
for any review for intervention. I must say that what we have
adopted as a strategy for Network Information Security is indeed
a mix of review of the activities which are addressed to specific
issues or problems that we see emerging or that we see as extremely
critical, or that we are addressing in view of the ongoing activity
on the review of the regulatory framework for electronic communication.
Then a lot of what we think needs to be done boils down
to, I would say, a partnership where we believe there is a lot
to be gained by co-operation between public bodies and the private
sector. In particular because we see that the complexity of the
scenarios and the threat in the private sector is somehow the
main player, together with the user, of course, in the Internet,
which makes the private sector an important player to act and
to be somehow stimulated to act to improve the level of security
of the Internet and Information Society. To come to the second
part of your question on the standards, I would like to say that
to some extent to facilitate and support even more of these public/private
partnerships we established in 2004 the European Network and Information
Security Agency, ENISA, which is based in Crete, whose legal base
is Article 95, and one of the tasks that ENISA is to carry out
is indeed the one of following and stimulating the discussion
and the co-operation of the private sector with Member States
in the area of standards. Of course, standardisation is a changed
scheme, if I may say so, in particular in these areas over the last
20 years and in particular because the technical developments
are so fast that indeed we have assisted with the development
of more and more de facto standards. I think that Europe
has to play a role there and we are motivating, I would say, the
private sector and our European standardisation body to play a
more proactive role in the area of network information security,
and in this respect I would remind you of the Network Information
Society Steering Group, which is an activity jointly managed by
CEN and ETSI, which has recently adopted a survey of what are
the network information security standards that are critical and
important for the development of our Information Society. This
report is available from the ETSI website and it contains also
a number of recommendations for what is to be the way forward
and how to improve the standards in those areas that indeed deserve
further improvement.
Q903 Baroness Sharp of Guildford:
Thank you very much. Can I add a rider to the replies that you
have given me? Under Article 95 presumably you are, as you have
indicated, taking forward issues of consumer protection and the
single market, but you were indicating that under the justice
pillar of the EU Treaty there were very limited powers that you
have. But what powers does the Commission have to promote, say,
co-operation in policing or mutual legal assistance? Do they have
any powers here?
Mr Klabunde: I am sorry if I have not expressed
myself clearly enough. When I said it was outside my competence
in speaking for the DG Information Society for Media, this is
not our competence; but the Commission's DG Justice, Freedom and
Security has of course a stronger mandate in this direction to
facilitate co-operation of police and in the judicial domain.
But that is not in the responsibility of the persons who are sitting
at this table today, which is why we would prefer not to comment
in detail on these matters.
Mr Servida: If I may just complete the picture
because there are also colleagues in Luxembourg who have regular
contact with my work colleagues in the DG JLS. In the area of
cyber crime our police are working on communications and we have
been coordinating our activities, the activities for our strategy
of communication of last May, and what indeed they are doing themselves
in the area of the coordination of the investigation system and
the enforcement agencies and improving efficiency of the judicial
system, and we have coordinated our work together in order to
aim at the same direction although using instruments that are
completely different. In this respect I do not know if our colleagues
in Luxembourg would like to say something in this respect? Our
colleagues are dealing with the programme on safer use of the
Internet and they are actually looking at aspects like child pornography
and fighting illegal content and that, in terms of the judicial
system and activities, is being handled by the JLS. But in terms
of technological and project type of development, these are indeed
promoted by my colleagues in Luxembourg and I do not know whether
they would like to say something in this respect?
Q904 Chairman:
Would you like to add something from Luxembourg?
Ms Traung: Yes. As far as the Safer programme
is concerned for the time being we do not have a lot of co-operation
going on with DG JLS but in the future we will try to enhance
the co-operation and have closer contacts.
Mr Klabunde: I would make an additional remark,
if you would allow me? As I said, I would not want to comment
in detail on the interpretation of the legal basis in this respect,
but on the ground there is ample co-operation between DG Information
Society and DG JLS on these matters - on cyber crime, on
identity theft, on different actions against malicious activities
on the Web. So I would just avoid the impression that is created
that there is no connection. We are mainly working on the legal
basis that we have commented on here, while the third pillar activities
are not in the focus of our responsibility and that is why we
would not want to make any statements on behalf of colleagues
who are not present today.
Chairman: Thank you. I will turn now to Lady
Hilton for the next question.
Q905 Baroness Hilton of Eggardon:
Good afternoon. You were talking about the need to stimulate organisations
to improve personal Internet security. What incentives do you
think will be offered to ISPs, banks and so on, and are you doing
things to improve incentives between countries, better harmonisation
procedures?
Mr Klabunde: This of course relates to the proposals
or the considerations that the Commission has put forward in its
working document for the review of the electronic communications
regulatory framework, where three options were considered in the
context of security-related measures in the framework. One consideration
is to find a way of making providers responsible to notify security
incidents which lead to the disclosure of personal data or to
interruptions of service to the competent authorities. Another
one was to update already existing provisions which concern network
integrity, to be aligned to the technological development. And
the third one of course is to empower the national regulatory
authorities to be more detailed in monitoring the providers and
their responsibilities with respect to security measures actually
taken on the networks, and to give more precise indications on
these issues than is possible under the current system. These
are measures which in total could have the effect of increasing
the economic incentives to invest in security, of course, in line
with other non-regulatory aspects like awareness of the general
public and everybody about security risks and a better assessment
of the situation by users, by citizens and so on. Maybe my colleagues
would like to add something? No.
Q906 Baroness Hilton of Eggardon:
Could we turn to the draft Payment Services Directive, which I
understand will reduce the level of protection offered to customers
who are victims of card fraud? When we visited the United States
recently we were told that customers were only liable for the
first $50 and beyond that banks were liable for credit card frauds.
Do you see the EU moving towards a position like that in the United
States, where banks are legally liable for losses due to online
fraud?
Mr Klabunde: I am sorry, we are not at the moment
prepared to answer this question.
Mr Holla: We are not working on this particular
issue. It sounds like something that may be handled by the DG
for Internal Market and services maybe in co-operation with DG
for Justice, Freedom and Security. I think it is better to direct
this question to Commissioner Frattini and DG Justice, Freedom
and Security.
Q907 Chairman:
Let me ask the next question. At the moment all sorts of risks
are imposed upon the consumers, for instance by means of end-user
agreements, that the consumer will sign very often without fully
understanding. However, it has been suggested to us that the key
players in the industry - that is the software manufacturers,
the retailers, the ISPs and so on - should be made liable
for the consequences of security breaches, at least in so far
as they can be shown to have been negligent. What do you think
about this notion?
Mr Klabunde: When the staff working document
of the Commission was prepared it was published together with
the communication on the proposals for the regulatory framework
of electronic communications. The Commission also collected evidence
and assessed all available research and studies, including the
data provided by Bruce Schneier and Ross Anderson and colleagues,
which you heard, as I understand, in the Committee, and this element
has been taken into account in their considerations and will be
taken further into account in the decision of what the Commission
will propose. The measures that are envisaged are to some extent
justified by the assessment that there may be means to increase
the responsibility of the economic actors that are in a position
to increase the efforts to do more to reduce the problem. But
the Commission does not rely exclusively on regulatory aspects,
it is at the same time working in partnership with these entities
to find a way where everybody can really take their share of the
liability and the responsibility and step up their efforts to
solve the problem or to increase security by the most appropriate
measures, and it is not always necessarily a regulatory approach
which proves to be the most successful, so that is part of an
overarching strategy which also involves partnership and empowerment,
as was pointed out earlier by my colleague, Andrea Servida.
Q908 Chairman:
So I would gather from that there is little impetus within the
European Commission to generate a liability regime which would
have teeth and would be able to place responsibility with the
various partners. I am hearing you say that you feel and the Commission
feels that this is just a matter of sharing the responsibility
around without making anybody legally responsible for carrying
a particular responsibility; would that be correct?
Mr Klabunde: You would not expect me to agree
to the statement with the words that you used. I would only want
to mention that as far as the aspect of consumer protection is
concerned and the contractual and licence aspect that you mentioned,
our colleagues in the DG for Health and Consumer Protection are
looking in the consumer protection acquis while we are speaking,
basically, and are also pursuing initiatives to look into these
aspects for potential improvement. But I am not, unfortunately,
in a position to make any statement of the state of advancement
of these proceedings at this moment.
Chairman: Thank you very much. Lord Sutherland,
please.
Q909 Lord Sutherland of Houndwood:
Do you have a view about the value of security breach notification
laws, such as my colleagues saw operating in over 30 States in
the USA? Do you have a view at all about this?
Mr Klabunde: There are statements even from
authorities in Europe which say that as long as we do not have
a mandatory notification we do not receive notifications, which
means that we cannot prove how big the problem is, which means
that we do not have resources to go after this problem, which
means that we can do nothing about it, which means that nobody
will relay information on this to us. So there are statements
which say that there is a vicious circle as long as the problem
is not made known - that nobody will start to fight it and
as long as there is nobody fighting it, there is no notification
about it. So this would suggest that there is an impact of mandatory
notifications if they are implemented in the proper way and in
the most efficient and most effective way that would help to better
assess measures to be taken to counteract the security problems
which are behind these breaches.
Q910 Lord Sutherland of Houndwood:
I am fascinated by the circle that you have drawn there but I
understand that the Commission has some draft proposals on security
breach notification. These, however, are limited to telecom companies
only. The question is bound to be: would it not make more sense
to apply these to all companies holding personal data in electronic
form?
Mr Klabunde: I would not want to enter into
this point as it is slightly out of my organisational competence
at this moment. What I can say is that we have the impression
that it is worthwhile to look at this issue, in particular for
the telecoms sector and not to simply ignore it while we are in
the process of reviewing the telecom sector regulatory framework.
Q911 Lord Sutherland of Houndwood:
Perhaps this is one that we can take up with the Commissioner
but I wondered if you had had as much publicity in other Member
States in Europe as we have had about the recent leak of information
held by TK Maxx, which has had a big impact on the general public's
perception of the problem?
Mr Klabunde: We have seen reports in recent
months for several of these cases which hit the Press - not
limited to the UK. We even had a case where a telecoms operator
was taken to court by a national authority for a case of leak
of personal data, and of course there is lots of data from the
United States where, as you stated, quite a lot of state level
laws exist, but there is no reason to assume that the problem
is any smaller in Europe than anywhere else.
Q912 Baroness Sharp of Guildford:
To some extent this brings us to the E-Privacy Directive. This,
I gather, requires communication providers to keep their networks
secure. Are you satisfied with the enforcement of these provisions?
Do national enforcement agencies, such as the Information Commissioner
in the UK have sufficient teeth to enforce it properly?
Mr Klabunde: As I have said earlier, one of
the measures that are being considered in the context of the review
is indeed to strengthen the provisions which are there regarding
security in order to give more opportunities to the national regulators
to enforce proper implementation of security measures in the network.
We are currently in the process of assessing in detail the issue
and looking into the matter to be able to more precisely find
a way as to how to do this in the actual proposal of the Commission.
Q913 Baroness Hilton of Eggardon:
If we can turn to email spam and its problems. We have heard a
lot of complaints about spam. What is being done at EU level to
counteract this problem and is there any scope for raising the
level of fines or blocking loopholes, such as business-to-business
spam? Do you have any plans in this direction?
Mr Schik: The latest action the Commission took
in the area of spam was to publish a communication on the fight
against spam, spyware and malware, which was released last November.
We actually took stock of the efforts that have been undertaken
so far on Member State level, by industry, but also identified
a number of actions that could be taken up because, as part of
the communication, we also set out the fact that the problems
are increasing, they are not decreasing and, as was stated before,
it is becoming more criminal so there is all the more reason to
be proactive also on the Member State level. Part of the recommendations
we made in this communication is the emphasis on the need to
have a number of critical success factors within central government,
which was that first of all we had to struggle with the particular
government to actually do something about the problem. It was
also to have a clear organisational responsibility within the
Member State as to which agency is actually responsible for the
fight against spam and related threats, and moreover as part of
that strategy to have adequate resources being given to that agency
to actually take up the fight because it is quite a knowledge-based
activity - you need to have the skills and the knowledge to
do online investigation and you need to have some staff dedicated
to follow up on complaints that you may receive. So these are
a number of suggestions we made in this communication. As far
as the legal basis for these activities is concerned regarding
the ePrivacy Directive, it is already there. So the ePrivacy Directive
already provides for - for example, you mentioned business-to-business
spam - Member States are free to either opt
in or opt out of business-to-business emails, and we see that
in quite a lot of Member States sending spam between companies
is not allowed. So Member States are free to make a decision
there, as sending spam to consumers is banned altogether but for
business-to-business Member States can decide to either opt in
or opt out. As far as fines are concerned, spam is quite a lucrative
business so if you want to stop spammers by enforcing the anti-spam
law you have to ensure that you have fines that are a deterrent - if
that is the proper word - that you have fines which actually
scare people who are considering spamming others. The ePrivacy
Directive allows for these fines to be set but of course it is
again for Member States to set the height of these fines - it
is not something that the Commission prescribes, it is something
that is within the discretionary rule of Member States to decide
upon. Further initiatives which I might touch upon to give you
some ideas, the Commission provides for a network of spam enforcing
authorities, the CNSA, who meet two or three times a year, to exchange
best practice on how to fight spam and to work closely together
and to get the type of cross-border enforcement co-operation in
place because, as you are no doubt aware, it is a global problem
so we need to have good co-operation set up with other countries
in order to actively and successfully catch spammers. This organisation
is not the only initiative, plus there is also another which is
called the 'London Action Plan', which does more or less the same
thing as the CNSA but on a global level so, for example, it covers
the US, Australia and Asian countries.
Q914 Baroness Hilton of Eggardon:
In the United States action has been taken against spammers by
private companies such as AOL and Microsoft. Do you think it should
be made much easier in Europe for companies to take similar action?
Mr Klabunde: I refer again to our working paper
and the communication on the regulatory framework where one of
the elements considered is also to create a better option to take
legal action on civil law level against spammers. So that is an
element which is under consideration.
Q915 Chairman:
May I ask you a few questions about ENISA? First of all what is
ENISA intended to achieve? Is it doing a good job? And why was
it located in Crete where there is an exceptionally low level
of Internet penetration?
Mr Holla: That is rather a lot to answer in
the time span that is allotted for this meeting! First of all,
what is ENISA to achieve? It is a list of tasks in the establishing regulation - I
will give you the highlights - to collect appropriate
information in order to analyse current and emerging risks; to
provide European parliaments, Commission, European bodies and
competent national bodies with advice and hence going between
different actors operating in the field of network and information
security, in particular in the private sector and the public sector,
and facilitate co-operation between the Commission and the Member
States. These are the most important tasks given the agency. Then
is the agency doing a good job? First of all, I should say that
the agency has only been operational for a relatively short period
of time. Although the regulation established the agency in 2004,
in practice it took up its duties in September 2005 in Heraklion,
so it is only one and a half years that they have been able to
work on operational issues. There has been an evaluation report;
the Commission has contracted an external consulting company to
do an analysis of the first results that became available. We
have recently received this report and it will be published this
week on the website of the Commission, available to all. The report
makes some criticism and gives some advice for things that could
be done better but the overall tone is quite positive. The agency
originally has been established for a period of five years and
the report advises that the mandate of the agency be extended.
So is ENISA doing a good job? The short answer would be yes. Why
has it been established in Crete? This is a decision of the Council
of Ministers and the relevant national government. It is the Council
that decides upon locations of agencies and the Council decided
to place this agency in Greece and it was subsequently the Greek
government that decided that Heraklion would be its seat.
Chairman: Thank you, that is a very precise
and useful answer. May I turn to Lord Sutherland for the next
question, please?
Q916 Lord Sutherland of Houndwood:
This concerns an issue that we have come across in our investigations
and to some extent a side issue, but since there has been reference
to Europe in the evidence we have had we thought we would ask
if you had views on this. It concerns the inability of Voice over
IP companies to provide emergency 999 calls for police, fire,
ambulance and so on. Ofcom, the industry regulator here, told
us that the European Union rules are partly to blame for this.
Is that accurate and, if it is, why?
Mr Klabunde: The accessibility of emergency
numbers from the different types of networks is indeed an issue
which is one of the elements considered in the electronic communications
regulatory framework. The current version of this obligation is
imposed on fixed line operators exclusively, as it was considered
to be sufficient at the time of the last revision. It is one of
the aspects taking into account the increasing importance of mobile
networks and of Internet-based networks on how to implement a
proper way of accessing emergency numbers in this context. So
this is indeed an issue being considered.
Q917 Lord Sutherland of Houndwood:
Thank you very much, that is helpful. Is there any timescale on
when a decision might be taken on this?
Mr Klabunde: The Commission has published a
timetable for the review which says that the adoption of the proposals
by the Commission is foreseen in the summer of 2007.
Q918 Chairman:
May I ask you a fairly general question about the Internet? The
Internet is inherently international; do you feel that Europe
is working well with the rest of the world on these issues of
the Internet, with America, or locally with Eastern Europe and
with the Far East? Do you think that good international co-operation
has been established?
Mr Holla: This is a difficult one to answer
because the Internet is so pervasive and it is not a single, let
us say, part of the Commission or even a single Commissioner under
whose responsibility contacts take place with the United States,
the Far East and other partners on the Internet - this is
a vast area. I personally have some experience in the area of
cyber crime, which I dealt with a few years ago. There we had
extensive contacts in the framework of G8, which prepared recommendations
on this issue and in the Council of Europe which adopted a cyber
crime convention. So in that area there is a good international
contact. I do not think that anyone here around the table is qualified
to speak for the other areas with which we have contacts with
third countries. So I am not able to give you an all-inclusive
answer to this question.
Chairman: Thank you, that is still useful. If
I could turn to Lady Sharp.
Q919 Baroness Sharp of Guildford:
Can I come back to the issue of child protection, which we touched
on earlier? Could you tell us what action is being taken at EU
level to promote safety on line, particularly the safety of children?
Ms Traung: One of the main actions under the
Safer Internet programme is to set up a network of awareness raising
nodes in the Member States and the purpose of these nodes is to
promote safer use of the Internet, particularly by children.
Ms Yudina: This year we have a particular emphasis
on fighting sexual abuse images on the Internet, and there are
several areas where we want to contribute in this field. For instance,
in May there should be a meeting with Russia on fighting child
sexual abuse images together on an official level. (Loss of
sound connection) We also try to promote co-operation between
law enforcement agencies and encourage development of technology
for the specific use of police for the analysis of child abuse
materials. We are also planning to co-operate with the European
financial institutions who can be used as a chain of distribution
of evidence of the child abuse material, and we would like to
put them together to communicate how they can contribute to the
fighting of sexual abuse images on the Internet. The Commission
is also planning to arrange a round table meeting with handset
manufacturers to foster the development of common standards for
handsets that can be safer for children. This is what our programme
is doing now.